Packet Loss when using MAC Authentication on 1920 Switch

  • 1.  Packet Loss when using MAC Authentication on 1920 Switch

    Posted Dec 04, 2017 03:43 PM

    We have several HPE 1920-24G switches (JG924A). They are running the latest available firmware. Everything works great on the switch except for when we enable MAC Authentication. When it's enabled, all packets on the switch will drop once or twice every 1-5 minutes. For example, if I have 4 workstations plugged into the switch, all plugged into MAC Authentication enabled ports, and they are all pinging each other, once or twice every few minutes the ping packets will all time out at the same time. I only get 1 ping packet timing out, so it's a very brief issue. There are no logs on the switch indicating a problem and there is no MAC authentication happening at the time of the drop. This issue is happening on all of our 1920 switches. I was also able to reproduce it with a new spare 1920 we have and tested with. I contacted HP support and they said it was a configuration issue and offered paid support. If I disable MAC Authentication, the issue goes away, so it's definitely related.

    Does anyone have helpful advice or experience with MAC Authentication?

    Below are the relevant configuration settings related to MAC Authentication.

    mac-authentication
    mac-authentication domain MYDOMAIN
     
    radius scheme MYRADIUS
     primary authentication 192.168.5.104 key cipher {Cipher Key Here}
     secondary authentication 192.168.1.100 key cipher {Cipher Key Here}
     key authentication cipher {Cipher Key Here}
     key accounting cipher {Cipher Key Here}
     user-name-format without-domain
     
    domain MYDOMAIN
     authentication lan-access radius-scheme MYRADIUS
     authorization lan-access radius-scheme MYRADIUS
     access-limit disable
     state active
     idle-cut disable
     self-service-url disable

    #1920


  • 2.  RE: Packet Loss when using MAC Authentication on 1920 Switch

    Posted Dec 06, 2017 02:59 AM

    Have you tried to set a higher mac-authentication off-line detect timer? By default it is 5 minutes.

    Try to set it higher and see what the result is. As you are pinging, there is traffic, so the switch shouldn't throw you out... but what if there was a bug? If you change this timer and the behaviour changes, you can report that as a bug because that wouldn't be normal.

    Set the offline detect timer:

    mac-authentication timer offline-detect offline-detect-value

    Optional. 300 seconds by default.



  • 3.  RE: Packet Loss when using MAC Authentication on 1920 Switch

    Posted Feb 16, 2018 05:29 AM

    Is there any news regarding this issue? Stumbled upon this problem while preparing a new 1920 for our branch office, strange behavior. Firmware here is the latest, i.e. 5.20.99 Release 1117. Increasing the offline detection timer seems to help, but then you can't work with a daisy chained switch, i.e. a NJ5000 on the edge, because the port does not go offline then when the device moves and the user is not amused to wait for reauthentication 1h or so....

     



  • 4.  RE: Packet Loss when using MAC Authentication on 1920 Switch

    Posted Feb 16, 2018 07:40 AM

    Yes, when I lower the Offline Detection Period value to 60s, every minute 1 or 2 ping packets are lost. Seems to be a bug, because there is no reason for a reauthentication, therefore I opened a case with HPE.



  • 5.  RE: Packet Loss when using MAC Authentication on 1920 Switch

    Posted Feb 28, 2018 04:24 AM

    Here is the answer from HPE Support:

    ...there is a limitation on 1920 that the device cannot detect whether terminal users are still online or not, so by default every "offline detect period" all online users will be logged out by the offline timer and user can re-authenticate to go back online. In the meantime there may be temporary packet dropping or delayed forwarding. 

    My recommendation is to increase the offline timer so that the effect of this limitation of 1920 is minimized.

    So that's it.  In setups with daisy chained switches behind a 1920 where the port does not go offline when a user moves you can't really use this feature.
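
One way to confirm that drops follow the offline-detect timer described in this thread, as an added example that is not part of any post: it reads Linux-style `ping` reply lines, finds the missing `icmp_seq` numbers, and checks whether the spacing between loss bursts matches the configured timer. The function names, the 1-second ping interval, the 3-second tolerance and the sample logs (address 192.0.2.10) are assumptions constructed for illustration.

```python
import re

SEQ_RE = re.compile(r"bytes from .*icmp_seq=(\d+)")  # Linux iputils reply line

def lost_sequences(ping_lines):
    """icmp_seq numbers between the first and last reply that got no reply."""
    seen = set()
    for line in ping_lines:
        m = SEQ_RE.search(line)
        if m:
            seen.add(int(m.group(1)))
    if not seen:
        return []
    return [s for s in range(min(seen), max(seen) + 1) if s not in seen]

def burst_starts(lost):
    """Collapse runs of consecutive lost sequence numbers to their first member."""
    return [s for i, s in enumerate(lost) if i == 0 or s != lost[i - 1] + 1]

def follows_timer(ping_lines, timer_s, interval_s=1.0, tolerance_s=3.0):
    """Return (verdict, gaps): verdict is True when every gap between loss
    bursts lies within tolerance_s of a whole multiple of timer_s."""
    starts = burst_starts(lost_sequences(ping_lines))
    gaps = [(b - a) * interval_s for a, b in zip(starts, starts[1:])]
    if len(gaps) < 2:            # too few loss events to call it periodic
        return False, gaps
    for gap in gaps:
        k = max(1, round(gap / timer_s))   # a cycle may pass without a lost ping
        if abs(gap - k * timer_s) > tolerance_s:
            return False, gaps
    return True, gaps

def constructed_log(total, lost):
    """Constructed sample: replies for seq 1..total except those in `lost`."""
    return [f"64 bytes from 192.0.2.10: icmp_seq={s} ttl=128 time=0.4 ms"
            for s in range(1, total + 1) if s not in lost]

PERIODIC = constructed_log(250, {58, 118, 119, 179, 239})  # timer set to 60 s
RANDOM = constructed_log(250, {10, 47, 200})               # unrelated loss

if __name__ == "__main__":
    for name, log in (("periodic", PERIODIC), ("random", RANDOM)):
        for timer in (60, 300):
            print(name, timer, follows_timer(log, timer))
```

Run it against captures taken with two different timer values: if the loss spacing moves with the timer, the drops come from the offline-detect logout and not from cabling or RADIUS reachability.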